Solved

DNS Split / IP DNS Question

Posted on 2009-02-16
Last Modified: 2012-05-06
Hi,

I am trying to achieve a method of using a Cisco router as a DNS Server to push requests for the internal domain (i.e. abccompany.local) to the local DNS server(s), and all other requests to Public DNS Servers.

The situation currently is that home workers connect using Cisco 800 Series Routers with IPSec VPN to the main office. This works just fine and I have enabled our internal DNS Servers inside the DHCP scope on the home-based users' routers.

Example:
ip dhcp pool pool1
   import all
   network 192.168.104.0 255.255.255.0
   dns-server 172.16.0.242 172.16.0.245
   default-router 192.168.104.1
   lease 7

This is working just fine, however this method is pushing all DNS requests to the internal Servers.  

I know how to configure the router as a DNS Server, but not how to achieve the above. I read up on Split DNS but can't seem to apply what I'm thinking above or by other means, so I guess I'm misunderstanding the doc!

Supporting info on this around the internet seems to be really limited.  All I can find is either using the router as a DNS Server, or pushing out Public/Private DNS Server addresses through DHCP.

Any example configs and/or help would be greatly appreciated!  I don't even necessarily need to go down the Split DNS route, just some way of achieving the above.

Thanks,

Kevin

Question by:itdeptneci
14 Comments
LVL 19

Expert Comment

by:lamaslany
ID: 23654293
Why not allow your DNS server to answer all requests?  Just set up the forwarding servers on the DNS server to be the public DNS servers to answer the non-abccompany.local requests.
Author Comment

by:itdeptneci
ID: 23654519
Thanks for answering..

You mean allow my internal DNS Servers to forward the request? If so, then yes they are already doing this. However this isn't what I am trying to achieve. I only want the routers at remote locations to query my internal DNS servers for domains for which the internal DNS servers are authoritative.

Maybe I didn't explain very well! The remote users 192.168.x.x connect to the main office 172.16.x.x via VPN tunnel. The DNS Servers are located at the main office (172.16.0.242, 172.16.0.245). These are authoritative for the domain abccompany.local, and forward other queries to ISP DNS Servers.

I want each Router located at an individual Remote/Home user's location to forward queries for the internal domain (abccompany.local) to the internal DNS servers 172.16.0.242, 172.16.0.245, and all other queries to its own public DNS Servers specified in ip name-server.
LVL 5

Expert Comment

by:ifreq
ID: 23655524
What will you achieve by doing such a weird DNS split? I totally agree with lamaslany's comment. Is there any harm in your internal DNS forwarding internet queries from your network? It's the basic setup usually.
LVL 19

Expert Comment

by:bevhost
ID: 23655975
I'm not sure why you want to do this, you must have some need but you haven't described it for us.  We must try to guess what your problem is.

Perhaps you could add a third public DNS IP address to your DNS Server list.
eg
dns-server 172.16.0.242 172.16.0.245 61.88.88.88

Author Comment

by:itdeptneci
ID: 23657205
The reason for wanting to do this is to reduce the amount of DNS queries my Internal DNS servers are handling.  At the moment every remote connection which establishes a connection to the VPN tunnel is directing all DNS queries to my internal DNS servers.

So the 1st point for wanting to do this is to reduce the amount of DNS queries passed down the vpn tunnel.  So only DNS queries for my Active Directory Domain (abccompany.local) are passed to my internal DNS servers.  Any other queries (i.e google.co.uk, bbc.co.uk) are not passed down the tunnel but to public DNS Servers.  

The 2nd point is that if for example the tunnel is down, the router can still pass DNS queries to the public DNS servers.

If you also refer to the Split DNS Cisco document (http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htspldns.html), refer to Ability to Offload Internet Traffic from the Corporate DNS Server and Split DNS Operation, this offers a good explanation to do this.

bevhost..If I add a third public DNS IP address to my list as you state, then yes it would work in the case of the tunnel being down, but this is still not defining separate views for each dns-server: 172.16.0.242/245 handles abccompany.local, 61.88.88.88 handles all other.
LVL 19

Expert Comment

by:bevhost
ID: 23657650
If the router is a DNS Server in its own right then your DHCP pool should give out the router as the DNS
eg
ip dhcp pool pool1
   import all
   network 192.168.104.0 255.255.255.0
   dns-server 192.168.104.1
   default-router 192.168.104.1
   lease 7

Author Comment

by:itdeptneci
ID: 23657680
bevhost..yes I know this.  See my 1st post, pushing out DNS Server address in DHCP scope.

But it still does not deal with the question in hand..Split DNS.

I am now looking at Cisco forums to find the answer, where I already see some other posts relating to Split DNS..so hopefully I will get my answer this way.
LVL 19

Expert Comment

by:bevhost
ID: 23657749
I have not heard of Split DNS doing what you suggest.
I have heard of there being two views of abccompany.local or more commonly abccompany.com where the internal requestors can see all the internal hosts and external requestors can only see the externally visible hosts.
eg internal mail.abccompany.com resolves to 192.168.x.y internally and 1.2.3.4 externally.
eg your answer will depend on your point of view.

Split DNS is complicated to understand and configure, so Microsoft decided in its infinite wisdom to make sure that internal hosts could not be visible to external users by suggesting that everyone use internal domains that cannot be looked up on the global internet, thereby achieving separation that way. Your internal PCs can't be looked up by external users because there are no gTLD servers for .local

DNS on the other hand has been designed so that it is difficult to poison the chain of delegation, to prevent domain hijacking etc. If any router can easily be programmed to re-route DNS queries to some other server at will, goodness only knows what kind of mess could be created.
LVL 19

Expert Comment

by:bevhost
ID: 23657766
You could try configuring the dns on the router to have both internal and external forwarders.
Requests for both internal and external addresses & domains will still be sent to all forwarders, but once the dns server has received an answer it could cache it for a while.
LVL 19

Expert Comment

by:bevhost
ID: 23657776
Once upon a time (before BIND 8 or 9) split DNS was achieved by having two DNS servers, one for internal and one for external.
DNS views allow you to run both servers on the same instance of named and send a different reply depending on who's asking.
LVL 2

Expert Comment

by:ensermo
ID: 24334974
itdeptneci: I had the same problem and I understand what you want to do.
I have implemented a solution on our 800 Routers.

Well officially DNS support was introduced in Cisco IOS release 12.4(9)T;
So check first if the router has this version or later.
I believe some of the advanced commands can only be done from CLI (not SDM)

The only "solution" that I have been able to find is to use the Cisco 800 router as the DNS server locally
So do not use the remote DNS server (on the VPN).

You setup the router as a DNS caching server and you can use the ip host configuration command to pre-populate the DNS cache with for example your "local domain" servers. (It is the same as using host files locally on a PC)

This site explains DNS on Cisco Routers very well and all its commands.
http://www.nil.si/ipcorner/RouterDNS/
Author Comment

by:itdeptneci
ID: 24335095
Hi Ensermo,

Thanks for the feedback.

I don't suppose you could by chance post a sanitized example of one of your 800 configs for me, could you? Always easier to doctor an already working example ;-)

Many Thanks,

Kevin
LVL 2

Accepted Solution

by:
ensermo earned 2000 total points
ID: 24335697
Yes no problem.

Here are the commands I use. Our local internal computers use DHCP and receive their information from the DHCP (The 800 router)

ip domain name maincompany.local

ip dns view default
 ! DNS server on main location
 domain name-server 192.168.1.1
 ! External/Local ISP DNS server
 domain name-server 4.2.2.2
 ! This is the internal network that will use DNS
 domain resolver source-interface Vlan1
 ! Uses the DNS information specified in the DHCP reply received on the specified interface
 domain name-server interface Vlan1
 ! DNS server on main location
 dns forwarder 192.168.1.1
 ! External/Local ISP DNS server
 dns forwarder 4.2.2.2

ip dns server
ip dns view-list default


ip dhcp pool INTERNAL_DHCP
   import all
   network 10.10.10.0 255.255.255.0
   ! The Cisco 800
   dns-server 10.10.10.1
   default-router 10.10.10.1
   domain-name maincompany.local
   ! WINS SERVER on the other side of the VLAN
   netbios-name-server 192.168.240.1

This has been working for us as the Cisco will cache DNS entries and make the local clients a little faster.
Also if by any chance VPN is down then the other DNS server should be used. (test it by bringing VPN down and trying new sites from the clients. )
It's not the ideal solution but this is the only DNS functionality the Cisco 800 provides.
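Added example (not ensermo's config nor the thread's): the per-domain split the asker actually described, built with the IOS Split DNS name-list/view-list commands from the Cisco 12.4(9)T document linked above. It assumes those commands behave as that document describes on the release in use, uses the thread's addresses (internal servers 172.16.0.242/245, bevhost's 61.88.88.88 as a stand-in for the ISP resolver), and the name-list pattern syntax is an assumption to check against the doc.

```cisco
! Name list 1 matches only queries for the internal AD domain.
! (pattern syntax assumed from the Cisco Split DNS doc; verify on your release)
ip dns name-list 1 permit abccompany\.local
ip dns name-list 1 permit .*\.abccompany\.local
!
! View "internal": matching queries are forwarded over the IPSec tunnel
! to the servers that are authoritative for abccompany.local.
ip dns view internal
 domain name-server 172.16.0.242
 domain name-server 172.16.0.245
 dns forwarder 172.16.0.242
 dns forwarder 172.16.0.245
!
! Default view: everything else goes to the ISP resolver, so public
! lookups never cross the tunnel and still work when the tunnel is down.
! 61.88.88.88 is a placeholder; use your ISP's resolver address.
ip dns view default
 domain name-server 61.88.88.88
 dns forwarder 61.88.88.88
!
! View list consulted in order: the internal view is restricted to
! name list 1, the unrestricted default view catches the rest.
ip dns view-list SPLIT
 view internal 10
  restrict name-group 1
 view default 20
!
! Bind the view list to the router's DNS server and enable it.
ip dns server view-group SPLIT
ip dns server
!
! Clients get the router itself as resolver (bevhost's point above),
! so the internal servers never see public-name queries from this site.
ip dhcp pool pool1
   import all
   network 192.168.104.0 255.255.255.0
   dns-server 192.168.104.1
   default-router 192.168.104.1
   lease 7
```

Test it the way ensermo suggests: resolve an abccompany.local host and a public site from a client with the tunnel up, then bring the tunnel down and confirm the public lookup still answers while the internal one fails.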

Author Comment

by:itdeptneci
ID: 24337275
Many Thanks.

The link you provided previously is very helpful too; it's interesting that split DNS is broken in 12.4(11). I don't think I'm alone in struggling with split DNS, there are a few different posts on the Cisco Pro Forum.

Anyway your solution helps a great deal, so thanks again and I'll award you the points.

Kevin